Bishop Fox Uncovers Security Flaws in Mass Transit Mobile Apps


Bishop Fox, the largest private professional services firm focused on offensive security testing, has uncovered an alarming number of security flaws in most major cities’ mass transit apps. Specifically, Senior Security Engineer Priyank Nigam found significant vulnerabilities in the mobile apps for Amtrak and Greyhound Lines, Inc. He presented his research, “Reverse Engineering Mobile Apps: Never Pay for Transit Again,” at the 2019 BSides Las Vegas conference.

Successful exploitation of mobile mass transit apps can range from the relatively harmless “stealing” (or forging) of e-tickets to the critical exposure of customer PII and account takeovers. Mobile apps are effectively thick clients: they run locally, cannot trust their runtime environment, and inherit the same classes of vulnerability as their desktop predecessors.

“I was purchasing Amtrak tickets and saw an authentication bypass vulnerability almost immediately in their mobile app. We contacted Amtrak, told them about the issue, and they fixed it quickly. As I dug more deeply into other application-specific attack vectors, I found other mass transit companies with similar problems,” said Nigam. “Most mass transit and city level transit systems outsource the development of their mobile apps to a small number of vendors, so this is the tip of the iceberg in terms of potential exposure. Yet, many of these vendors were indifferent to fixing the vulnerabilities we identified for them.”
